Characterization of Permutations

Component Functions

An ${\displaystyle (n,n)}$-function ${\displaystyle F}$ is a permutation if and only if all of its components Failed to parse (syntax error): {\displaystyle f_λ} for ${\displaystyle \lambda \in \mathbb {F} _{2^{n}}^{*}}$ are balanced.

Autocorrelation Functions of the Directional Derivatives

For any boolean function ${\displaystyle f}$, we denote by ${\displaystyle {\mathcal {F}}(f)}$ the following value related to the Fourier (or Walsh) transform of ${\displaystyle f}$:

${\displaystyle {\mathcal {F}}(f)=\sum _{x\in \mathbb {F} _{2^{n}}}(-1)^{f(x)}=2^{n}-2wt(f).}$

The characterization in terms of the component functions given above can be equivalently expressed as

${\displaystyle \sum _{a\in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any Failed to parse (syntax error): {\displaystyle λ\in\mathbb{F}^*_{2^n}} .

Equivalently ^[1], ${\displaystyle F}$ is a permutation if and only if

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

for any ${\displaystyle a\in \mathbb {F} _{2^{n}}^{*}}$.

Characterization of APN Permutations

Up to CCZ-equivalence, all of the APN permutations known so far belong to a few families, namely:^[2]

1. APN monomial functions in odd dimension.

2. One infinite family of quadratic polynomials in dimension ${\displaystyle 3n}$, with ${\displaystyle n}$ odd and ${\displaystyle gcd(n,3)=1}$.^[3]

3. Dillon's permutation in dimension 6.^[4]

4. Two sporadic quadratic APN permutations in dimension 9.^[5]

On the component functions

Clearly we have that no component function can be of degree 1. (This result is true for general APN maps)

For ${\displaystyle n}$ even we have also that no component can be partially-bent^[6]. This implies that, in even dimension, no component can be of degree 2.

Autocorrelation Functions of the Directional Derivatives

An ${\displaystyle (n,n)}$-function ${\displaystyle F}$ is an APN permutation if and only if ^[1]

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}(D_{a}f_{\lambda })=-2^{n}}$

and

${\displaystyle \sum _{\lambda \in \mathbb {F} _{2^{n}}^{*}}{\mathcal {F}}^{2}(D_{a}f_{\lambda })=2^{2n}}$

for any ${\displaystyle a\in \mathbb {F} _{2^{n}}^{*}}$.

On APN Power Functions

For ${\displaystyle n}$ odd, all power APN functions and the known APN binomials are permutations. When ${\displaystyle n}$ is even, no APN function exists in a class of permutations including power permutations.

Specifically:

If a power function ${\displaystyle F(x)=x^{d}}$ over ${\displaystyle \mathbb {F} _{2^{n}}}$ is APN, then for every ${\displaystyle x\in \mathbb {F} _{2^{n}}}$ we have ${\displaystyle x^{d}=1}$ if and only if ${\displaystyle x^{3}=1}$, that is, ${\displaystyle F^{-1}(1)=\mathbb {F} _{4}\cap \mathbb {F} _{2^{n}}^{*}.}$

If ${\displaystyle n}$ is odd, then ${\displaystyle gcd(d,2^{n}-1)=1}$ and, if ${\displaystyle n}$ is even, then ${\displaystyle gcd(d,2^{n}-1)=3}$.

Consequently, APN power functions are permutations if ${\displaystyle n}$ is odd, and are three-to-one over ${\displaystyle \mathbb {F} _{2^{n}}^{*}}$ if ${\displaystyle n}$ is even.^[7]

APN Permutations and Codes

The (Hamming) weight of any vector ${\displaystyle x\in \mathbb {F} _{2}^{n}}$ is denoted by ${\displaystyle wt(x)}$, and the (Hamming) distance between any two vectors ${\displaystyle x}$ and ${\displaystyle y}$ from ${\displaystyle \mathbb {F} _{2}^{n}}$ is denoted by ${\displaystyle d(x,y)}$. Any linear subspace ${\displaystyle C}$ of ${\displaystyle \mathbb {F} _{2}^{n}}$ of dimension ${\displaystyle k}$ is called a binary linear code of length ${\displaystyle n}$ and dimension ${\displaystyle k}$ and is denoted by ${\displaystyle [n,k,d]}$, where ${\displaystyle d}$ is the minimum Hamming distance of ${\displaystyle C}$.

Any linear ${\displaystyle [n,k,d]}$ code ${\displaystyle C}$ is associated with its dual ${\displaystyle [n,n-k,d^{\perp }]}$ code, denoted by ${\displaystyle C^{\perp }}$ and defined as ${\displaystyle C^{\perp }=\{x\in \mathbb {F} _{2}^{n}\;|\;c\cdot x=0,\;\forall c\in C\}.}$

Let ${\displaystyle {\mathcal {H}}}$ be a binary ${\displaystyle (r\times n)}$ matrix. We say that a linear binary code ${\displaystyle C}$ of length ${\displaystyle n}$ is defined by the parity check matrix ${\displaystyle {\mathcal {H}}}$ if ${\displaystyle C=\{c\in \mathbb {F} _{2}^{n}\;|\;c{\mathcal {H}}^{t}=0\},}$ where ${\displaystyle {\mathcal {H}}^{t}}$ is the transposed matrix of ${\displaystyle {\mathcal {H}}}$.

Let ${\displaystyle F:\mathbb {F} _{2^{n}}\rightarrow \mathbb {F} _{2^{n}}}$ be APN, with ${\displaystyle F(0)=0}$.

${\displaystyle F}$ is CCZ-equivalent to an APN permutation if and only if ${\displaystyle C_{F}^{\perp }}$ is a double simplex code (i.e. ${\displaystyle C_{F}^{\perp }=C_{1}\oplus C_{2}}$, where ${\displaystyle C_{1},C_{2}}$ are ${\displaystyle [2^{n}-1,n,2^{n-1}]-}$codes).^[8]

An APN Permutation in Dimension 6

In his paper ^[9], Hou conjectured that APN permutations did not exist in even dimension. He proved the following theorem that covers the case of ${\displaystyle n=4}$:

Let ${\displaystyle F\in \mathbb {F} _{2^{n}}[x]}$ be a permutation polynomial with ${\displaystyle n=2m}$. Then:

1. If ${\displaystyle n=4}$, then ${\displaystyle F}$ is not APN.

2. If ${\displaystyle F\in \mathbb {F} _{2^{m}}[x]}$, then ${\displaystyle F}$ is not APN.

The question of whether APN permutations exist in even dimension was a long-standing problem until, in 2009, Dillon presented an APN permutation (of algebraic degree ${\displaystyle n-2}$ and nonlinearity ${\displaystyle 2^{n-1}-2^{n/2}}$) in dimension 6^[4].

This function is CCZ-equivalent to the Kim function ${\displaystyle \kappa (x)=x^{3}+x^{10}+ux^{24}}$ (where ${\displaystyle u}$ is a primitive element of ${\displaystyle \mathbb {F} _{2^{6}}}$), whose associated code ${\displaystyle C_{F}^{\perp }}$ is therefore a double simplex code. It was used later in the cryptosystem Fides^[10], which has been subsequently broken due to its weaknesses in the linear component.

Dillon's function is also EA-equivalent to an involution and it is studied further in the introduction of the butterfly construction^[11]. Unfortunately, this construction does not allow obtaining APN permutations in more than six variables^[12].

The Big Open APN Problem

The question of existence of APN permutations in even dimension ${\displaystyle n\geq 8}$ remains open. There exist nonexistent results within the following classes:

1. Plateaued functions (when APN, they have bent components);

2. A class of functions including power functions;

3. Functions whose univariate representation coefficients lie in ${\displaystyle \mathbb {F} _{2^{n/2}}}$, or in ${\displaystyle \mathbb {F} _{2^{4}}}$ for ${\displaystyle n}$ divisible by 4; ^[9]

4. Functions whose univariate representation coefficients satisfy ${\displaystyle \sum _{i=0}^{(2^{n}-1)/3}a_{3i}=0}$; ^[13]

5. Functions having at least one partially-bent component^[6].

References